Malicious PDF — malware analysis report

Static analysis result for SHA-256 58963a64b19f5b89…

MALICIOUS

PDF

38.2 KB Created: 2020-09-18 04:36:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0348851e541bad56e8b85dbd00424d73 SHA-1: ecade308f3a379bca7a7b273b67e6277a5aa098b SHA-256: 58963a64b19f5b89404b33a465d669b8dc5c61e7a41ceb8caa7395ffd3a34fdb
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high density of external links, many of which point to redirector infrastructure. The primary malicious URL identified is https://ttraff.me/wix?keyword=super+mario+maker+3ds+rom, which is likely used to direct users to further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=super+mario+maker+3ds+rom
    • http://files.rootedandrestored.org/uploads/1/3/1/8/131871416/6ab6af876.pdf
    • http://files.enviroleblanc.com/uploads/1/3/1/3/131381518/6985609.pdf
    • http://metifadol.marinashacola.com/uploads/1/3/2/8/132816202/finedowasobugafax.pdf
    • http://talojuwow.littleannadesigns.com/uploads/1/3/1/6/131636772/tatarelu_xovaz_lakuvorivu_bekuwasarum.pdf
    • http://files.cloudcatmedia.com/uploads/1/3/1/4/131437222/9868216.pdf
    • https://fee0bd53-e364-4064-9c77-4eed96379755.filesusr.com/ugd/89363e_64e1622c13fa4bf2b9957e0e4d66fef7.pdf?index=true
    • https://4524d377-4397-41b4-9ebe-b6b4d8ce5d0f.filesusr.com/ugd/c5d40f_98d7270746f2457387817b1e170dba9e.pdf?index=true
    • https://e1253266-ff06-49d6-8db4-c35f377df742.filesusr.com/ugd/7ab50f_20128c3aeb1742d799213eee463e314f.pdf?index=true
    • https://dce2ef38-6231-4c72-96df-fa1f0bf82676.filesusr.com/ugd/98e2de_ff286fbdbd9448838d28d11fca775151.pdf?index=true
    • https://69e43390-8f31-4700-ae62-fb50172d45f7.filesusr.com/ugd/21e9e0_8b191f730c234480a8045ea46cb0155c.pdf?index=true
    • https://2d71682f-d2ae-4002-b42f-11585e70ab08.filesusr.com/ugd/d2759c_192874e227cf43b59c5fd5a3e95855db.pdf?index=true
    • https://697fb011-5326-43ca-832b-4e8795fc08f9.filesusr.com/ugd/f241d9_c0867e2807e348a8b0956bfe2c33ae34.pdf?index=true
    • https://fd52cdbb-6f9d-485f-986f-413a04abded7.filesusr.com/ugd/e73fea_87e4c7a24f3b48fa959ea67448b37244.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000563f.bin
537130d88354150ddeb86106d4bc62b8f67f8a97311b2c6887cbd28b2cb08a95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x563F 5404 bytes
font_01_sfnt_off00006886.bin
a3a65509519ef7939100e13000c39451a8089ae34a443a587eacc67991e90f53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6886 10512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.